From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.7 122/166] KVM: x86: Mark CR4.TSD as being possibly owned by the guest
Date: Tue, 14 Jul 2020 20:44:47 +0200
Message-Id: <20200714184121.677249888@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200714184115.844176932@linuxfoundation.org>
References: <20200714184115.844176932@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson

commit 7c83d096aed055a7763a03384f92115363448b71 upstream.

Mark CR4.TSD as being possibly owned by the guest as that is indeed the
case on VMX. Without TSD being tagged as possibly owned by the guest, a
targeted read of CR4 to get TSD could observe a stale value.

This bug is benign in the current code base as the sole consumer of TSD
is the emulator (for RDTSC) and the emulator always "reads" the entirety
of CR4 when grabbing bits.

Add a build-time assertion in to ensure VMX doesn't hand over more CR4
bits without also updating x86.

Fixes: 52ce3c21aec3 ("x86,kvm,vmx: Don't trap writes to CR4.TSD")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson
Message-Id: <20200703040422.31536-2-sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/kvm_cache_regs.h | 2 +-
 arch/x86/kvm/vmx/vmx.c        | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/kvm_cache_regs.h
+++ b/arch/x86/kvm/kvm_cache_regs.h
@@ -7,7 +7,7 @@ #define KVM_POSSIBLE_CR0_GUEST_BITS X86_CR0_TS #define KVM_POSSIBLE_CR4_GUEST_BITS \ (X86_CR4_PVI | X86_CR4_DE | X86_CR4_PCE | X86_CR4_OSFXSR \ - | X86_CR4_OSXMMEXCPT | X86_CR4_LA57 | X86_CR4_PGE) + | X86_CR4_OSXMMEXCPT | X86_CR4_LA57 | X86_CR4_PGE | X86_CR4_TSD) #define BUILD_KVM_GPR_ACCESSORS(lname, uname) \ static __always_inline unsigned long kvm_##lname##_read(struct kvm_vcpu *vcpu)\ --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -3932,6 +3932,8 @@ void vmx_set_constant_host_state(struct void set_cr4_guest_host_mask(struct vcpu_vmx *vmx) { + BUILD_BUG_ON(KVM_CR4_GUEST_OWNED_BITS & ~KVM_POSSIBLE_CR4_GUEST_BITS); + vmx->vcpu.arch.cr4_guest_owned_bits = KVM_CR4_GUEST_OWNED_BITS; if (enable_ept) vmx->vcpu.arch.cr4_guest_owned_bits |= X86_CR4_PGE;
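Review bot: In the kvm_cache_regs.h hunk, the KVM_POSSIBLE_CR4_GUEST_BITS definition gains X86_CR4_TSD but still carries no comment stating its contract, namely that it must be a superset of every bit a vendor module may hand to the guest (KVM_CR4_GUEST_OWNED_BITS on VMX), since that is what lets a targeted CR4 read know when the cached value may be stale. The only place that contract is enforced is the BUILD_BUG_ON added in vmx.c; a one-line comment above the macro, e.g. "/* must cover every bit VMX/SVM can set in cr4_guest_owned_bits */", would keep the next person who adds a guest-owned bit from repeating the 52ce3c21aec3 omission.

Review bot: In the vmx.c hunk, BUILD_BUG_ON(KVM_CR4_GUEST_OWNED_BITS & ~KVM_POSSIBLE_CR4_GUEST_BITS) only checks the compile-time constant, while the surrounding function also ORs X86_CR4_PGE into cr4_guest_owned_bits at runtime under "if (enable_ept)". That is safe today because X86_CR4_PGE is already in KVM_POSSIBLE_CR4_GUEST_BITS in the first hunk, but any future conditional addition in this function would bypass the assertion; consider a WARN_ON_ONCE(vmx->vcpu.arch.cr4_guest_owned_bits & ~KVM_POSSIBLE_CR4_GUEST_BITS) after the final assignment, or a comment noting that runtime-added bits must also be listed in KVM_POSSIBLE_CR4_GUEST_BITS.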